- some more possible NULL deref

gzysuzhou · Jan 10, 2011 · 9a0771d · 9a0771d
1 parent 26bb38e
commit 9a0771d
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/TSRM/tsrm_virtual_cwd.c b/TSRM/tsrm_virtual_cwd.c
@@ -497,6 +497,9 @@ CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC) /* {{{ */
 
 		*length = 1;
 		retval = (char *) malloc(2);
+		if (retval == NULL) {
+			return NULL;
+		}
 		retval[0] = DEFAULT_SLASH;
 		retval[1] = '\0';
 		return retval;
@@ -509,6 +512,9 @@ CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC) /* {{{ */
 
 		*length = state->cwd_length+1;
 		retval = (char *) malloc(*length+1);
+		if (retval == NULL) {
+			return NULL;
+		}
 		memcpy(retval, state->cwd, *length);
 		retval[0] = toupper(retval[0]);
 		retval[*length-1] = DEFAULT_SLASH;
@@ -636,6 +642,10 @@ static inline void realpath_cache_add(const char *path, int path_len, const char
 		realpath_cache_bucket *bucket = malloc(size);
 		unsigned long n;
 
+		if (bucket == NULL) {
+			return;
+		}
+
 #ifdef PHP_WIN32
 		bucket->key = realpath_cache_key(path, path_len TSRMLS_CC);
 #else
@@ -854,6 +864,9 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 			}
 
 			pbuffer = (REPARSE_DATA_BUFFER *)tsrm_do_alloca(MAXIMUM_REPARSE_DATA_BUFFER_SIZE, use_heap_large);
+			if (pbuffer == NULL) {
+				return -1;
+			}
 			if(!DeviceIoControl(hLink, FSCTL_GET_REPARSE_POINT, NULL, 0, pbuffer,  MAXIMUM_REPARSE_DATA_BUFFER_SIZE, &retlength, NULL)) {
 				tsrm_free_alloca(pbuffer, use_heap_large);
 				CloseHandle(hLink);
@@ -940,9 +953,9 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 			}
 
 			if (!isVolume) {
-				char * tmp = substitutename + substitutename_off;
+				char * tmp2 = substitutename + substitutename_off;
 				for(bufindex = 0; bufindex < (substitutename_len - substitutename_off); bufindex++) {
-					*(path + bufindex) = *(tmp + bufindex);
+					*(path + bufindex) = *(tmp2 + bufindex);
 				}
 
 				*(path + bufindex) = 0;
@@ -1357,6 +1370,10 @@ CWD_API char *virtual_realpath(const char *path, char *real_path TSRMLS_DC) /* {
 	/* realpath("") returns CWD */
 	if (!*path) {
 		new_state.cwd = (char*)malloc(1);
+		if (new_state.cwd == NULL) {
+			retval = NULL;
+			goto end;
+		}
 		new_state.cwd[0] = '\0';
 		new_state.cwd_length = 0;
 		if (VCWD_GETCWD(cwd, MAXPATHLEN)) {
@@ -1366,6 +1383,10 @@ CWD_API char *virtual_realpath(const char *path, char *real_path TSRMLS_DC) /* {
 		CWD_STATE_COPY(&new_state, &CWDG(cwd));
 	} else {
 		new_state.cwd = (char*)malloc(1);
+		if (new_state.cwd == NULL) {
+			retval = NULL;
+			goto end;
+		}
 		new_state.cwd[0] = '\0';
 		new_state.cwd_length = 0;
 	}
@@ -1381,7 +1402,7 @@ CWD_API char *virtual_realpath(const char *path, char *real_path TSRMLS_DC) /* {
 	}
 
 	CWD_STATE_FREE(&new_state);
-
+end:
 	return retval;
 }
 /* }}} */